CLAIMS
Claim 1. (Currently Amended) An industrial network, comprising:
a local area network;

one or more programmable logic controllers; and 

a security policy implementation point (SPIP) connected between the local area network
and the one or more programmable logic controllers to isolate the one or more programmable
logic controllers and associated factory machines from the local area network to prevent a person
[illegible] programmable logic controllers [illegible] local area network [illegible]
authenticated to the SPIP and authorized to take action on the
SPIP, the SPIP being configured to participate in a Virtual Private Network (VPN) such that
communications with the SPIP over the industrial network occur over a VPN tunnel.

Claim 2. (Previously Presented) The industrial network of claim 1, wherein the SPIP is
integrated with the programmable logic controller and wherein the SPIP is logically connected 
between the local area network and the one or more programmable logic controllers. 

Claim 3. (Previously Presented) The industrial network of claim 1, wherein the network 
contains a plurality of programmable logic controllers, wherein the one or more programmable
logic controllers are a subset of the plurality of programmable logic controllers, and wherein the
SPIP is physically disposed between the local area network and the one or more programmable 
logic controllers. 

Claim 4. (Original) The industrial network of claim 3, wherein the local area network is an
Ethernet network, wherein the SPIP is configured to communicate with network devices on the
local area network over the Ethernet network, and wherein the SPIP is configured to
communicate with the programmable logic controller using a protocol selected from at least one
of Profibus, Controller Area Network, RS-232, RS-422, and RS-485.
Claim 5. (Original) The industrial network of claim 1, wherein the local area network includes
at least one Ethernet switch/router, and wherein the SPIP is included as a blade in the Ethernet
switch/router. 

Claim 6. (Original) The industrial network of claim 5, wherein the SPIP is configured to
implement security policy to control network access to at least one PLC connected to the
Ethernet switch/router through the SPIP. 

Claim 7. (Previously Presented) The industrial network of claim 1, wherein the SPIP is further
configured to apply policy to limit access to the programmable logic controllers to individuals 
authorized to access the programmable logic controllers and to require authentication on the 
SPIP before allowing control instructions to pass from the local area network through the SPIP to 
the one or more programmable logic controller.

Claim 8. (Canceled)

Claim 9. (Original) The industrial network of claim 1, wherein the industrial network is an
untrusted network configured to interconnect network services with a plurality of SPIPs 
associated with factory machines, and wherein the network services are configured to enable 
operation of the factory machines to be altered through the industrial network. 

Claim 10. (Previously Presented) The industrial network of claim 1, wherein the SPIP is further
configured to enable local access to the one or more programmable logic controllers by applying
local authentication and authorization policy to enable the SPIP to enforce network policy in
connection with attempted local access. 

Claim 11. (Original) The industrial network of claim 10, wherein the local policy comprises:

a local access policy configured to require authentication and authorization of at least one
of an user and an accessing electronic device for non-emergency attempts to access the SPIP, and

an alternate access policy configured to allow access to the SPIP and maintain an audit
log attendant to a local attempt to access the SPIP.
Claim 12. (Canceled)

Claim 13. (Previously Presented) The industrial network of claim 1, wherein the SPIP
comprises a local authentication policy and information associated with authorized users and
indicative of authorization policy information associated with said at least one factory machine.

Claim 14. (Currently Amended) A Security Policy Implementation Point (SPIP) for use in an
industrial network, comprising:

a local path configured to implement a local access policy related to direct local access to
one or more programmable logic controllers; and

a network path connected between the industrial network and the one or more
programmable logic controllers to control access to the programmable logic controller via the
industrial network, the network path being configured to isolate isolating the one or more
programmable logic controllers and associated factory machines from the industrial network to
prevent a person [illegible] program from accessing the one or more programmable
logic controllers over the local area network unless authenticated to the SPIP and authorized to
take action on the SPIP, the network path by participation in also implementing a Virtual Private
Network such that communications with the SPIP over the industrial network occur over a VPN
tunnel.

Claim 15. (Previously Presented) The SPIP of claim 14, further comprising programmable logic
controller circuitry configured to implement the one or more programmable logic controllers and
to function to control at least one factory machine. 

Claim 16. (Previously Presented) The SPIP of claim 15, wherein the local access policy
includes enabling access to an associated factory machine to enable operation of the factory
machine to be altered without verification of authorization and authentication of an user seeking
to alter the operation during an emergency. 
Claim 17. (Original) The SPIP of claim 16, wherein the local path comprises an
accounting module configured to record access to at least one of the SPIP, an associated
programmable logic controller, and an associated factory machine.

Claim 18. (Original) The SPIP of claim 15, wherein the local path comprises an authentication
module configured to [illegible]
through the SPIP, and an authorization module configured to assess an authorization associated
with the individual to ascertain whether the individual is authorized to access the device.

Claim 19. (Original) The SPIP of claim 18, wherein the authorization module is an interface to
a Lightweight Directory Access Protocol (LDAP) server, and wherein the authentication module
is an interface to a Remote Access Dial In User Service (RADIUS) server.

Claim 20. (Original) The SPIP of claim 18, wherein the authentication and authorization
modules maintain a local copy of authorized users and authentication policy to allow local access
to the SPIP.



Claim 21. (Previously Presented) The SPIP of claim 15, wherein the SPIP is configured to
apply policy to limit access to the programmable logic controllers to individuals authorized to
access the programmable logic controllers and to require authentication on the SPIP before
allowing control instructions to pass from the industrial network through the SPIP to the one or
more programmable logic controllers.

Claim 22. (Original) The SPIP of claim 15, further comprising network ports configured to
interface with the industrial network, and output ports configured to interface with a
programmable logic controller. 

Claim 23. (Original) The SPIP of claim 22, wherein the network ports are configured to 
communicate on the industrial network utilizing an Ethernet protocol; and wherein the output 
ports are configured to communicate with the programmable logic controller using a protocol
understandable by the programmable logic controller. 
Claim 24. (Original) The SPIP of claim 15, further comprising ports [illegible]
interface with the industrial network, logic configured to implement [illegible]
associated with a programmable logic controller, and interface ports configured to interface
[illegible] a factory machine.

Claim 25. (Original) The SPIP of claim 24, wherein the interface ports comprise at least one
input port configured to receive input from an environmental sensor, and at least one output port
configured to control at least one electro-mechanical device.